PRIVACY NOTICE FOR SUPPLIERS 


Scottish Power UK Plc and its subsidiaries (together “Scottish Power”) have, in partnership with 
other members of its wider corporate group (the “Iberdrola Group”), developed a tool to 
manage its relations with suppliers interested in participating in tenders for the awarding of 
contracts with Scottish Power. This tool (hereinafter, indistinctly, the “Portal” and the “Register 
of Potential Suppliers and Suppliers”) is managed by Scottish Power’s parent company, Iberdrola 
S.A. and the information that it contains at any time as a result of interactions with third parties 
(interested suppliers, homologated suppliers and contracted suppliers) is accessible to all 
companies of the Iberdrola Group, some of which are established outside of the European 
Economic Area. The list of such companies can be accessed at 

https://www.ScottishPower.com/wcorp/gc/prod/en_US/corporativos/docs/IB_Annual_Financial_Information.pdf 


Therefore, for the purposes of personal data protection laws and regulations, we inform you 
that any information about suppliers and potential suppliers that we obtain, whether as a result 
of a request to register in the Portal or otherwise, may result in such information being included 
in the Portal and being accessed by any member of the Iberdrola Group. 


ScottishPower commits to protect your privacy and to comply with applicable personal data 
protection laws and regulations, in particular, the General Data Protection Regulation (“GDPR”), 
the UK Data Protection Act 2018 (and any updates to such legislation as a result of Brexit or 
otherwise). Your personal data will be processed in a lawful, fair and transparent manner; 
according to explicit and legitimate purposes; and only to the extent it is relevant and necessary 
for such purposes. In addition, we will keep your personal data accurate, up to date and for no 
longer than legally permitted. 


Scottish Power has implemented technical and organisational measures to protect your 
personal data from accidental loss and from unauthorised modification, access, use and 
disclosure. We have established procedures to respond in the event of a security incident that 
affects your personal data. 


Through this privacy notice we inform you about the processing of your personal data (a) during 
your contractual relationship with ScottishPower, and (b) after the conclusion of such 
relationship for the purposes of: (i) complying with the legal obligations to which Scottish Power 
may be subject; (ii) your continued registration as a supplier in the Register of Potential 
Suppliers and Suppliers; (iii) maintaining historical information of the relations of ScottishPower 
with its suppliers; and (iv) considering you for future contracting processes of ScottishPower. 


If we update this privacy notice, we will notify you in a timely manner. 


In the event that, as a result of the contractual relationship with ScottishPower you provide us 
with third party data, for example, name, position and contact data of your employees, 
directors, officers, shareholders or representatives, you must, before providing us with their 
personal data, inform such third party about the processing of their personal data in accordance 
with the terms of this privacy notice. 


Who is responsible for processing your personal data? 
The data controllers of your personal data are (i) ScottishPower UK Plc, or such other member 
of the ScottishPower corporate group with whom you have a contractual relationship; and (ii) 
Iberdrola, S.A. as operator of the Portal. 


You may contact our Data Protection Officer at dataprotection_corporate@scottishpower.com 


What personal data do we collect and process from you? 
The personal data that we may collect from you belongs to the following categories: 


• Data of an identifying nature: names, passport details, tax identification number, 
foreigners’ identity number, postal address, landline/mobile telephone, email, image 
and signature. In case of the contact person, their professional email address, for 
authentication purposes. 

• Data related to personal characteristics: civil status, family data, date and place of birth, 
age, gender, nationality, languages. 

• Academic and professional data: professional activity, training, qualifications, 
professional experience, memberships in professional associations, occupation and job 
title. 

• Economic, financial and insurance data: Bank data for transfers and payments. 

• Business activities: services provided. 


We may request that you provide original documentation and deliver a copy of it, as evidence 
to support the information you have submitted. 


How do we collect your personal data? 


You provide us with your personal data when registering in the Register of Potential Suppliers 
and otherwise in your interactions with us. 


If you do not provide us with any requested personal data, we may not be able to register you 
as a supplier. We may also be unable to comply with our contractual or statutory obligations. 


We ask that you update your personal data as it changes and always provide accurate 
information, as we must have your current information. 


For what purposes do we process your data? 
Scottish Power will only process your personal data in accordance with the following purposes: 


a) Periodically verify that you comply with the requirements set out during the supplier 
qualification process when you registered as a supplier to Scottish Power. 

b) Manage your participation in purchasing processes. 

c) Maintenance, development and control, in all its aspects, of our relationship with you. 

d) Internal management of suppliers. 

e) Preparation of surveys, statistics and internal reports. 

f) Sending communications related to sustainability, ethics and compliance. 

g) Collection and payment management. 

h) Administrative management. 

i) Management of the coordination of business activities and prevention of occupational 
hazards and health and safety incidents. 

j) Submission of tax information. 

k) In connection with administrative and judicial proceedings and actions before public 
authorities. 


l) Management of complaints and inquiries, analysis of possible conflicts of interest and 
analysis of solvency, anti-corruption, fraud or related risks. 

m) Control of access to facilities and other security activities. 

n) In relation to business email addresses, ensuring user verification. 

o) Invitation to information sessions and supplier awards. 

p) To maintain records of previous agreements entered into between Scottish Power and you 
for assessment purposes in relation to future contracts. 

q) To comply with applicable legal, regulatory, governmental or judicial requirements, requests 
and orders. 


We will only use your personal data for the purposes for which it was collected, unless we 
reasonably consider that we need to use it for another reason and that reason is compatible 
with the original purpose. If you wish to obtain an explanation as to how the processing for the 
new purpose is compatible with the original purpose, please contact us. 


If we need to use your personal data for an unrelated purpose, we will notify you and explain 
the legal basis which allows us to do so. 


In relation to the purpose indicated in section l), specifically in relation to the risk analysis, we 
inform you that in the performance of such analysis we may use personal data of individuals 
(representatives, directors, officers or shareholders) linked to you which is legitimately obtained 
from public records or some companies as or of some companies as Refinitiv 
rivacy-statement, or Dow 






persons that their data will be processed in accordance with this privacy notice. 


What is the legal basis for the data processing? 


For the purposes indicated in sections a), b), c) and g), if the personal data belongs to the 
contact persons or representatives of a supplier that is a corporate entity, the legal basis for 
the processing is the legitimate interest of ScottishPower in managing existing and 
future relations with such supplier. If the personal data belongs to a supplier that is an individual, 
the legal basis for the processing is the performance of the contractual relationship. 


The legal basis for the processing of personal data for the purposes indicated in sections i), j) 
and q) is to comply with legal obligations. 


The legal basis for the processing of personal data for the purposes indicated in section l) is the 
public interest and the legitimate interest of Scottish Power in the creation and maintenance of 
information systems through which Scottish Power can be made aware of acts that contravene laws 
or the internal policies of Scottish Power or Iberdrola. 


The legal basis for the processing of personal data for the purposes indicated in section m) is the 
public interest in preserving the security of people and property, as well as of the facilities of 
Scottish Power and the legitimate interest in controlling access to such facilities to guarantee 
their security and the security of people and property. 


The legal basis for the processing of personal data for the purposes indicated in sections d), e), 
f), h), k), n), o) and p) is the legitimate interest of Scottish Power in, respectively, (i) adequately 
administering and organizing our relations with suppliers, (ii) improving relationships with 
suppliers and obtaining related statistics, (iii) promoting awareness regarding sustainability, 
ethics and compliance, (iv) maintaining an adequate internal management of the ScottishPower 
corporate group, (v) defending legal claims, (vi) managing the security of our computer 
networks, ethical compliance including the prevention of fraud and money laundering, (vii) 
inviting you to events and (viii) keeping records of contracts to facilitate future agreements with 
you. 


Please note, we may process your personal data on more than one legal basis, depending on 
the specific purpose for which we are using your data. Please contact us if you need details 
about the specific legal ground we are relying on to process your personal data. 


How long do we store your data? 


Personal data processed for the purposes specified in b), c), d), g), h), i), j), k), l), n) and q) will be 
kept for the period of time necessary to comply with the purpose for which it was collected and 
in any case until the end of the contractual relationship. Personal data may be kept after that, 
until after the expiration of the statute of limitations of any potential obligations or liabilities 
that ScottishPower may have. 


Personal data processed for the purposes envisaged in paragraph a) shall be kept for as long as 
the supplier maintains the status of authorised supplier and provided that it has not notified 
ScottishPower of its decision not to participate in future tenders organized by ScottishPower. 


Personal data processed for the purposes set forth in letter e) will be kept until the finalisation of 
the survey, statistic or report. 


Personal data processed for the purposes set forth in letters f) and o) will be kept until the time 
you exercise your right to object to the processing. 


Personal data processed for the purposes of complying with the purposes set forth in letter m) 
will be kept for one month from the date it was collected, at which time it will be deleted unless 
necessary to keep such information for evidential purposes. 


Personal data collected for the purposes intended in paragraph p), shall be kept by 
ScottishPower beyond the termination of the agreement and for as long as you have an interest 
in being engaged by ScottishPower provided that, accordingly, you have not objected to such 
use of the personal data. 


Who will receive your data? 


Your personal data may be shared with third parties and public authorities (i) when necessary 
for the management, performance or enforcement of our contractual relationship, including 
where required to comply with our obligations or exercise our rights, (ii) if we are required to 
do so by law or regulation, or (iii) to comply with court orders, legal, governmental, judicial or 
regulatory requests. 


We may share your data in connection with corporate transactions, including during the course 
of due diligence processes related to such transactions. 


Your personal data will be accessible by affiliates and third parties that provide services related 
to our contractual relationship such as information services on creditworthiness or credit risk, 
billing and payment services, accounts payable management, consulting services and 
preparation of reports and reporting, computer services, training services, surveillance and 
security services. We sign contracts with third party service providers which regulate their 
obligations as data processors. 


Your personal data may be communicated to Iberdrola Group companies that may be interested 
in contracting with you. Such companies of the Iberdrola Group are those listed on the corporate 
website: https://www.ScottishPower.com/wcorp/gc/prod/en_US/corporativos/docs/IB_Annual_Financial_Information.pdf 


Where your personal data is transferred to companies of the Iberdrola Group located outside of 
the European Economic Area (EEA), ScottishPower will ensure that such transfer is made in 
accordance with GDPR, that is, in accordance with an appropriate safeguard. 


All data transfers that occur within the Iberdrola Group are carried out in accordance with the 
applicable data protection laws and our Binding Corporate Rules (BCRs). The Iberdrola Group’s 
BCRs reflect European legislation on data protection (General Data Protection Regulation) and 
mean that all companies in our Group have to comply with the same internal rules. You can 
download a copy of Iberdrola’s BCRs here. 


In any case, transfers of personal data will take place in accordance with the applicable legal 
basis and respecting the principles of fairness, loyalty, transparency and purpose limitation, 
among others. You may, at any time, contact ScottishPower to find out the specific measures 
that have been implemented for the adequate and appropriate protection of your personal data, 
as well as the fact that they have been implemented. 


What are your rights? 


You have the right of access to your personal data, as well as to request the rectification of 
inaccurate data or, where appropriate, to request its erasure when data is no longer necessary 
for the purposes for which it was collected, in addition to exercising the right to object and 
restrict the processing and data portability. 


You can exercise these rights by writing to us at dataprotection_corporate@scottishpower.com or 
Data Protection Officer, Scottish Power UK Plc, 320 St Vincent Street, Glasgow, G2 5AD. 


You also have the right to file a complaint with the Information Commissioner’s Office if you are 
dissatisfied with the response provided by ScottishPower regarding the exercising of any of your 
rights. 


Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

SK9 5AF 


0303 123 1113 


